Sudden DNS issues
Getting these in the logs:

named[652] malformed transaction: managed-keys.bind.jnl last serial 1204 != transaction first serial 1159
named[652] managed-keys-zone: keyfetch_done:dns_journal_write_transaction -> unexpected error
named[652] managed-keys-zone: error during managed-keys processing (unexpected error): DNSSEC validation may be at risk

===>>> bind-tools-9.16.6
===>>> bind916-9.16.6_1

(This is the newest version available to me in FreeBSD ports)

--
HILLBILLIES ARE PEOPLE TOO
Bart chalkboard Ep. AABF11

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: It is too hard for me to read from this mailing list
uninteresting

From: bind-users on behalf of Michael De Roover
Sent: Wednesday, September 23, 2020 5:08 PM
To: bind-users@lists.isc.org
Subject: Re: It is too hard for me to read from this mailing list

On Mon, 2020-09-21 at 16:15 -0400, Allen Chen wrote:
> I am using Thunderbird to read the emails. Should I use something
> else to read it? Any suggestions are welcome.

Here I use Evolution these days, since it does a lot of "stuff" that Thunderbird can't or needs add-ons to do. Especially mailing lists ended up being so underwhelming in Thunderbird, while in Evolution I find them pretty straightforward to browse. Also GPG integration in Evolution (actually integrates with the system keyring without needing add-ons etc.) and how it shows you which parts of an email are signed by putting a green square around it (useful for signed emails from e.g. security mailing lists), and so on. Definitely recommended!

--
Michael De Roover
Re: AppArmor, DHCP, Bind9 issue
Hi Olivier,

we on Fedora use SELinux, but have a similar problem. I think you should move db.bar.com to /var/lib/bind instead. That means, copy the file there. Leave a symlink in /etc/bind to /var/lib/bind if necessary. The primary place after dynamic update must be in a directory writable by named. It should not be the directory /etc/bind. Keep the journal file in the same directory. It belongs together.

SELinux would keep the label on a move from /etc/bind to /var/lib/bind. That's why I suggest copying it there and then removing the original file in /etc/bind. Might be unnecessary under AppArmor, not sure.

Make sure the zone file is writeable by the bind user.

# chgrp bind /var/lib/bind/* && chmod g+w /var/lib/bind/*

I would propose to omit using the /var/cache directory for type primary; I think there should be secondary copies only. As cache directory means it can be cleaned without data loss. You should back up /var/lib/bind, there are primary data. They have no source from which they can be fetched after delete. Secondary zones have that.

I am not sure how AppArmor handles permissions. On SELinux, you would have to restore contexts shown with ls -Z, by the command restorecon -R /var/lib/bind. Check whether anything similar is required on AppArmor.

Regards,
Petr

On 9/22/20 4:42 PM, Olivier wrote:
> Hello,
>
> I've got one ISC-DHCP server instance (4.4.1) and one Bind9 (9.11.5)
> instance installed on a Debian Buster box.
> Both come from Debian stable repo.
>
> I would like my DHCP server to update Bind9 database when leases are
> allocated to DHCP clients.
>
> I followed instructions from [1].
> I then met the following error:
> Sep 21 16:17:54 foo kernel: [ 8867.630002] audit: type=1400 audit(1600697874.163:25): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/db.bar.com.jnl" pid=1482 comm="isc-worker" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
> Sep 21 16:17:54 foo named[1482]: /etc/bind/db.bar.com.jnl: create: permission denied
>
> I edited /etc/apparmor.d/usr.sbin.named and it now includes the following content:
> ...
> # /etc/bind should be read-only for bind
> # /var/lib/bind is for dynamically updated zone (and journal) files.
> # /var/cache/bind is for slave/stub data, since we're not the origin of it.
> # See /usr/share/doc/bind9/README.Debian.gz
> # Next line added to work around apparmor issue
> /etc/bind/*.jnl rw,
> # End of addition
> /etc/bind/** r,
> /var/lib/bind/** rw,
> /var/lib/bind/ rw,
> /var/cache/bind/** lrw,
> /var/cache/bind/ rw,
> ...
>
> Now, /var/log/syslog includes:
> Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: signer "ddns_update" approved
> Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: updating zone 'bar.com/IN': adding an RR at 'acerok.bar.com' A 192.168.42.104
> Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: updating zone 'bar.com/IN': adding an RR at 'acerok.bar.com' TXT "0097d51fa2194acbea0809316da0885aa0"
> Sep 22 08:43:25 foo named[449]: /etc/bind/db.bar.com.jnl: create: permission denied
>
> ls -l /etc
> drwxr-sr-x 2 root bind 4096 sept. 21 16:01 bind
>
> ls -l /var/cache
> drwxrwxr-x 2 root bind 4096 sept. 22 16:25 bind
>
> ls -l /var/cache/bind
> lrwxrwxrwx 1 root root 23 sept. 21 14:29 db.192.168.42 -> /etc/bind/db.192.168.42
> lrwxrwxrwx 1 root root 29 sept. 21 14:28 db.bar.com -> /etc/bind/db.bar.com
> -rw-r--r-- 1 root root 0 sept. 21 16:36 db.bar.com.jnl
> ...
>
> How can I solve this ?
>
> [1] https://wiki.debian.org/DDNS
>
> Best regards

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
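The relocation Petr describes, written out as an added example for this page (it is not code from the thread, from Debian or from BIND): copy the zone file and any journal into the directory named can write, make them group-writable, replace the originals with a symlink, and run restorecon only where SELinux is present. The zone path, destination directory and group name are placeholders the caller supplies (on the Debian box in the question they would be /etc/bind/db.bar.com, /var/lib/bind and bind); the small layout check at the end is this example's own helper, not a BIND tool.

```shell
#!/bin/sh
# Added example, not code from the thread: move a dynamically updated primary
# zone (and its journal, if any) out of a read-only config directory into a
# directory writable by named, leaving a symlink behind. The caller supplies
# the source file, the writable directory and the group named runs as
# (placeholders: /etc/bind/db.bar.com, /var/lib/bind, bind).
set -eu

# relocate_zone SRC_FILE DST_DIR NAMED_GROUP
relocate_zone() {
    src="$1"; dst_dir="$2"; grp="$3"
    dst="$dst_dir/$(basename "$src")"

    if [ -L "$src" ]; then
        echo "$src is already a symlink; nothing to do" >&2
        return 1
    fi
    if [ ! -f "$src" ]; then
        echo "$src: no such zone file" >&2
        return 1
    fi
    mkdir -p "$dst_dir"

    # Copy rather than move: a freshly created file takes the destination
    # directory's default security label instead of keeping the one it had
    # in the config directory.
    cp -p "$src" "$dst"
    if [ -f "$src.jnl" ]; then
        # The journal records the zone's dynamic changes and belongs beside it.
        cp -p "$src.jnl" "$dst.jnl"
    fi

    # named must be able to write both the zone file and its journal.
    chgrp "$grp" "$dst"
    chmod g+w "$dst"
    if [ -f "$dst.jnl" ]; then
        chgrp "$grp" "$dst.jnl"
        chmod g+w "$dst.jnl"
    fi

    # Remove the originals and leave a symlink so existing references resolve.
    rm -f "$src" "$src.jnl"
    ln -s "$dst" "$src"

    # SELinux only: restore default contexts under the writable directory.
    # Skipped where restorecon is not installed (AppArmor systems).
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$dst_dir" || true
    fi
}

# zone_layout_ok SRC_FILE DST_DIR: exit 0 when the relocated layout is sound
# (symlink in the config dir, real file in DST_DIR and group-writable).
zone_layout_ok() {
    src="$1"; dst="$2/$(basename "$1")"
    [ -L "$src" ] || return 1
    [ -f "$dst" ] || return 1
    # In "ls -l" output the sixth character is the group write bit.
    case "$(ls -l "$dst" | cut -c6)" in
        w) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh relocate_zone.sh /etc/bind/db.bar.com /var/lib/bind bind
if [ $# -eq 3 ]; then
    relocate_zone "$1" "$2" "$3"
    zone_layout_ok "$1" "$2"
fi
```

After the zone lives under /var/lib/bind, the stock profile lines quoted in the question (/var/lib/bind/** rw, and /var/lib/bind/ rw,) already cover the journal, so the added /etc/bind/*.jnl rw, workaround can be dropped and /etc/bind can stay read-only for named. Point the zone's file statement at the new path as well, since a symlink left in /etc/bind only keeps old references working.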
Question about "max-cache-size" value
Hello,

I have a question about the "max-cache-size" parameter for named.conf. I'm thinking about this parameter value. How does everyone tune this value? Would you let us know if you have any recommendations?

How is memory used by "named"? Such as how process memory, heap, cache memory space and more are allocated.

Should the value "unlimited" not be used?

Thank you.
Re: Syntax for primary/secondary
> Not yet. In 9.12 we added "primary" and "secondary" as synonyms for
> the "master" and "slave" zone types, but we didn't touch any other
> syntax.
> In 9.17/9.18, we're going further: "primaries" will work in place of
> "masters", and "primary-only" in place of "master-only".

Hi Evan,

In your email from July 5, you mentioned that primaries will work in the 9.17 branch. I use FreeBSD which is on the 9.16.x train. Can you please commit the code change to the 9.16.x branch to make 'primaries' work in the ESV branch?

I'm a long time bind user, and support your organization making these small, but important changes.

Thanks,
Rudy
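To make the distinction in Evan's quoted reply concrete, here is an added named.conf fragment (not from the thread or from ISC's documentation) showing what a 9.16 configuration can and cannot spell the new way: the zone type keywords primary/secondary are accepted (synonyms since 9.12), but the upstream list of a secondary zone still has to use masters. The zone name and address are placeholders.

```conf
// Added example, not from the thread. example.test and 192.0.2.10 are placeholders.
// On BIND 9.16 the zone *type* may be written "secondary" (synonym for "slave"
// since 9.12), but the upstream server list must still be "masters";
// "primaries { ... };" is only accepted from 9.17/9.18 on, per Evan's reply.
zone "example.test" {
    type secondary;
    file "/var/cache/bind/db.example.test";   // secondary copy: re-fetchable, so the cache directory is fine
    masters { 192.0.2.10; };                  // not "primaries" on 9.16
};
```

Running named-checkconf against the file before reloading is the quickest way to find out which spellings the installed release accepts.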